
Cannot edit Media Manager policies due to incomplete xml data in DB2


I had a few problems with a customer’s deployment of Sametime 9 which probably come down to deployment plans and the order of the servers being installed.

During installation I had problems detailed in “System version is null” on new IBM Sametime Video Manager installation which forced me to uninstall the VMGR and install again with a new deployment plan. The outcome of this was that I could not administer the default policies nor create new Media Manager policies in the SSC, I saw the following error, “AIDSC#####: Could not connect to Sametime Video Manager. Either VMgr is not installed or server is not up. Please retry after installing VMgr or starting it.”


I saw in the deployment manager SystemOut.log “[17/10/14 17:02:04:101 BST] 00000220 SametimeVmgrU E   Forbidden” but nothing much else to write home about.

I raised a PMR with IBM and gathered some trace and sent it off. The PMR ended up with Ankit Vij in L3 who worked as a developer on the propagation of policies from the SSC to the VMGR.

After some to’ing and fro’ing it was identified that there were missing credentials in the DEPLOYMENT table of the SSC database. In the DEPCONF  column of the Conference Manager deployment plan lies XML data. In the data are two fields VMGRUSER and VMGRPASSWORD. In the customer’s data these values were empty, this is why the SSC couldn’t access the VMGR’s policies.

There are a few ways in which to edit the data, Data Studio is nice and easy and can export the table, edit it and then import it again in no time at all but as I was accessing their environment using Citrix this wasn’t an option because I couldn’t install any software. Using the CLI was the only way to do it.

My first attempts of using the DB2 EXPORT command failed because the tables have LOBs which are truncated when you export the data to a csv file. The way around it is to export to a csv file but also export all the data to LOB files. This can be achieved using the following command.

C:\Windows\system32>db2 "export to d:\export\deployment.csv of del lobs to d:\export\lobs\ modified by lobsinsepfiles select * from ssc.deployment"
SQL3104N  The Export utility is beginning to export data to file
"d:\export\deployment.csv".

This produces a csv. Where there was LOB data a .lob file is produced and the csv details which number .lob file holds the information for that particular entry.

Once I had found the .lob file referenced for the Conference Manager deployment plan in the DEPCONF  column I had to copy the contents of the .lob to a new text file.

The VMGRUSER and VMGRPASSWORD values were empty so I then updated them with wasadmin (could be admin/admin) and the password associated with it.

Next I had to add to the beginning of the xml data UPDATE SSC.DEPLOYMENT SET DEPCONF=' and to the end ' WHERE DEPID='14908a6aa1d-00000000000a-MediaDep'

The DEPID is easy to come by and is listed in the DEPID column for the Conference Manager deployment plan.

The end result is a single line containing 18000+ characters looking something like this.

UPDATE SSC.DEPLOYMENT SET DEPCONF='<?xml version="1.0" encoding="UTF-8"?>………………………….</parameter></parameters></Config>' WHERE DEPID='14908a6aa1d-00000000000a-MediaDep'

As the command was too large to paste into the CLI I saved it to a .sql file.

I stopped STConsoleServer, the node agent and the deployment manager.

Before changing the database I needed to back it up.

C:\Windows\system32>db2 backup database stsc
SQL1035N  The database is currently in use.  SQLSTATE=57019

I then needed to force the application connections from the database.

C:\Windows\system32>db2 list applications

Auth Id  Application    Appl.      Application Id                  DB       # of
         Name           Handle                                     Name     Agents
-------- -------------- ---------- ------------------------------- -------- ------
DB2ADMIN db2jcc_applica 41961      192.168.x.x.49442.141124093130  STSC     1
DB2ADMIN db2jcc_applica 45374      192.168.x.x.61230.141125142939  STMS     1
DB2ADMIN db2jcc_applica 45483      192.168.x.x.61666.141125152718  STMS     1
DB2ADMIN db2jcc_applica 41949      192.168.x.x.49385.141124093116  STMS     1

C:\Windows\system32>db2 force application(41961)
DB20000I  The FORCE APPLICATION command completed successfully.
DB21024I  This command is asynchronous and may not be effective immediately.

After all applications are disconnected I could run the backup.

 C:\Windows\system32>db2 backup database stsc

Backup successful. The timestamp for this backup image is : 20141125154621

C:\Windows\system32>db2 connect to stsc

   Database Connection Information

 Database server        = DB2/NT64 10.1.0
 SQL authorization ID   = DB2ADMIN
 Local database alias   = STSC

At this point I am going to run the UPDATE command using the .sql file I created.

C:\Windows\system32>db2 -vf C:\DB2\ssc.sql

DB20000I  The SQL command completed successfully.

Normally I would run db2 -tvf but that didn’t work, I think because I didn’t use semicolons for delimiters in the .sql file. Anyway, it worked.

I started the deployment manager, node agent and STConsoleServer and I could now edit the Media Manager policies.

Many thanks to Imran and Ankit at IBM for helping me through this frustrating but interesting problem.



Sametime 9 policies not working due to slashes in the policy name in SSC


I had come back on site to a customer to deploy some other Sametime 9 services and found that the managed-settings.xml wasn’t being applied to the clients.

I remembered reading Gabriella Davis’ blog http://turtleblog.info/2014/04/02/problems-deploying-sametime-policies-the-missing-link so I found it and at first I enabled POLICY_DEBUG_LEVEL=5 and then updated console.properties adding  SSCUserName, SSCPassword and removing SSCEncodedAuthorization.

I added the following trace to STConsoleServer, *=info:com.ibm.sametime.console.admin.plugins.policy.*=all which allowed me to see the policies read from the STSC.POLICY.TEMPLATE table to make sure they were populated.

The Community server was restarted that evening but still policies were not being applied to the clients. Thanks to the debug I then had some useful output in the Trace directory to look through and found this:

[ 07:58:57.560 | 04.12.2014 | FINEST | 1 ] : DbXmlBlackBox : readSortedData : Policy DTO=> Policy ID: Managed.settings.28/10/14;Policy Weight: 3;Policy Label: null;Policy Type: USER
[ 07:58:57.576 | 04.12.2014 | SEVERE | 1 ] : DbXmlBlackBox : readSortedDataForProducts : PolicyException:
com.ibm.sametime.policy.types.PolicyException: com.ibm.sametime.console.admin.services.exception.ServiceException: com.ibm.sametime.console.common.http.api.exception.HttpBadRequestException: Not Found
Caused by: com.ibm.sametime.console.admin.services.exception.ServiceException: com.ibm.sametime.console.common.http.api.exception.HttpBadRequestException: Not Found

I previously created an IM policy called “Managed settings 28/10/14” which wasn’t liked. As there is xml involved I removed the slashes to leave “Managed settings 281014.”

I restarted STConsoleServer and then restarted the STPolicy Windows service on the Community server and this triggers activity on the STConsoleServer. Now that the slashes were removed the files policies.server.xml was updated adding the managed settings policy to policies.user.xml which is in the program directory of the Community server. Subsequently, the policy was then applied to the clients.

http://ssc:9080/stpolicy/policy/all

This provides high level information on all policies, IM, audio/video etc.

http://ssc:9080/stpolicy/policy/av.anonymous.policy & http://ssc:9080/stpolicy/policy/av.default.policy

These URLs provide details of the default audio/video policies.


Sametime meetings not working in STProxy web client


I found that for a customer the meetings icons in the STProxy web client weren’t bringing up the user’s meeting rooms. After a bit of debugging, server trace showed that an LtpaToken was being generated but the browser wasn’t getting an LtpaToken returned to it. It drove me mad because the STProxy doesn’t need to have SSO enabled for it to work like the Meeting server does; regardless of that, SSO worked in all directions between the Community server and the Meeting server and the STProxy is in the same cell as the Meeting server so SSO should work!

I raised a PMR and IBM asked me to add the following to the stproxyconfig.xml. After a sync and a restart of STProxy all is well.

<tokenDomain>DOMAIN.CO.UK</tokenDomain>

(replace with your domain)

I’m not sure whether this is missing from the patch they are running which is CKEY-9L9JM5 which is not the latest patch released a couple of weeks ago BPAS-9QSNS7.

The comment from IBM is “for long term the code should be fixed, dev created rtc ticket for it as well as APAR created: LO83144”



LDAP error code 49 – Failed, invalid credentials – user cannot log in to Connections


A customer had a problem with a single user not being able to authenticate with Connections. The user had an active profile and they use Domino LDAP.

The SystemOut.log showed.

[1/5/15 13:27:31:824 GMT] 00000190 LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4529E  The password verification for the ‘juser’ principal name failed. Root cause: ‘javax.naming.AuthenticationException: [LDAP: error code 49 – Failed, invalid credentials for CN=Joe User,OU=xxx,OU=xx,o=xxx]; Resolved object: ‘com.sun.jndi.ldap.LdapCtx@8dd3a48”..
[1/5/15 13:27:31:825 GMT] 00000190 FormLoginExte E   SECJ0118E: Authentication error during authentication for user juser

Looking in the associated FFDC log I found.

Caused by: com.ibm.websphere.wim.exception.AuthenticationNotSupportedException:
CWWIM4530E  The authentication is not supported by the ‘xxx LDAP’ repository. Root cause: ‘javax.naming.AuthenticationNotSupportedException: [LDAP: errorcode 48 – Failed, server access denied]; Resolved object: ‘com.sun.jndi.ldap.LdapCtx@af24747e”

“errorcode 48 – Failed, server access denied” interested me but I couldn’t find reference to it anywhere.

The user’s person document looked OK. I asked the customer if the user was in any deny access groups which turned out to be the cause of the problem. The user had been added to a deny access group for the LDAP server. Removing her allowed her to authenticate.


New Sametime Proxy APNs test application


I have written a couple of posts on this because I find the application extremely helpful in diagnosing network related issues with connection to APNs (Apple Push Notification service) so that iOS devices can receive IMs when the application is “backgrounded.”

Here is the application which includes a text file providing you with the correct syntax to use which would go something like this, for Windows.

D:\support\apnstest>d:\IBM\WebSphere\AppServer\java\bin\java.exe -jar apnstest.jar -k D:\IBM\WebSphere\AppServer\profiles\xxxxSTPPNProfile1\config\cells\xxxx01SSCCell\nodes\xxxxSTPNode1\apns-prod.pkcs12
APNS Test ScriptVersion: 2.0.0
Testing using key: D:\IBM\WebSphere\AppServer\profiles\xxxxxSTPPNProfile1\config\cells\xxxxx01SSCCell\nodes\xxxxSTPNode1\apns-prod.pkcs12
Testing using server: gateway.push.apple.com
Testing using port: 2195
About to attempt to connect to APNS
Initialized SSL Context
SSL Socket Created
Starting SSL Handshake
SSL Handshake Complete
CN=gateway.push.apple.com, O=Apple Inc., L=Cupertino, ST=California, C=US
CN=Entrust Certification Authority – L1C, OU=”(c) 2009 Entrust, Inc.”, OU=www.entrust.net/rpa is incorporated by reference, O=”Entrust, Inc.”, C=US
Successfully Connected to APNS
Test notification will not be sent

D:\support\apnstest>d:\IBM\WebSphere\AppServer\java\bin\java.exe -jar apnstest.jar -k D:\IBM\WebSphere\AppServer\profiles\xxxxxSTPPNProfile1\config\cells\xxxx01SSCCell\nodes\xxxxSTPNode1\apns-prod.pkcs12 -s feedback.push.apple.com -p 2196
APNS Test ScriptVersion: 2.0.0
Testing using key: D:\IBM\WebSphere\AppServer\profiles\xxxxSTPPNProfile1\config\cells\xxxx01SSCCell\nodes\xxxxSTPNode1\apns-prod.pkcs12
Testing using server: feedback.push.apple.com
Testing using port: 2196
About to attempt to connect to APNS
Initialized SSL Context
SSL Socket Created
Starting SSL Handshake
SSL Handshake Complete
CN=feedback.push.apple.com, O=Apple Inc., L=Cupertino, ST=California, C=US
CN=Entrust Certification Authority – L1C, OU=”(c) 2009 Entrust, Inc.”, OU=www.entrust.net/rpa is incorporated by reference, O=”Entrust, Inc.”, C=US
Successfully Connected to APNS
Test notification will not be sent


IBM Sametime Community server does not upgrade due to SSCEncodedAuthorization


I had a wobble when applying the latest POODLE/SSLV3 (AAZI-9RGLXV) patch to my CentOS 6.5 server. It kept failing and the following exceptions were seen in /opt/ibm/dominodata/SametimeInstall.log

(Feb 19, 2015 10:50:30 PM), Install, com.lotus.sametime.install.product.SSCReg, err, com.ibm.sametime.console.deployment.client.exception.SCClientException: AIDSC0884E: Failed to do IO operation with file.Server returned HTTP response code: 500 for URL: http://ssc.collaborationben.com:9080/console/deployment/getDepIdByDepName
STACK_TRACE: 18
com.ibm.sametime.console.deployment.client.exception.SCClientException: AIDSC0884E: Failed to do IO operation with file.Server returned HTTP response code: 500 for URL: http://ssc.collaborationben.com:9080/console/deployment/getDepIdByDepName
    at com.ibm.sametime.console.deployment.client.util.RestURL.sendData(RestURL.java:358)
    at com.ibm.sametime.console.deployment.client.util.ClientUtility.getDepIdByDepName(ClientUtility.java:1380)
    at com.ibm.sametime.console.deployment.client.api.Deployment.getDepIdByDepName(Deployment.java:1674)

(Feb 19, 2015 10:50:30 PM), Install, com.lotus.sametime.install.product.SSCReg, err, An error occurred and product update failed.  Look at the log file /opt/ibm/dominodata/SametimeInstall.log for details.
(Feb 19, 2015 10:50:30 PM), Install, com.lotus.sametime.install.product.SSCReg, err, ProductException: (error code = 601; message="err"; additional data = [com.ibm.sametime.console.deployment.client.exception.SCClientException: AIDSC0884E: Failed to do IO operation with file.Server returned HTTP response code: 500 for URL: http://ssc.collaborationben.com:9080/console/deployment/getDepIdByDepName])
STACK_TRACE: 14
ProductException: (error code = 601; message="err"; additional data = [com.ibm.sametime.console.deployment.client.exception.SCClientException: AIDSC0884E: Failed to do IO operation with file.Server returned HTTP response code: 500 for URL: http://ssc.collaborationben.com:9080/console/deployment/getDepIdByDepName])
    at com.lotus.sametime.install.product.SSCReg.setSSCStatus(SSCReg.java:328)

I also saw the following in the same file.

(Feb 19, 2015 10:50:03 PM), Install, com.lotus.sametime.install.wizard.GetSSCEncodedPassword, msg1, loading /opt/ibm/dominodata/console/console.properties
(Feb 19, 2015 10:50:03 PM), Install, com.lotus.sametime.install.wizard.GetSSCEncodedPassword, msg1, Encoded password found. Decoding…
(Feb 19, 2015 10:50:03 PM), Install, com.lotus.sametime.install.wizard.GetSSCEncodedPassword, msg1, username = wasadmin
(Feb 19, 2015 10:50:03 PM), Install, com.installshield.full.event.dialog.console.PanelSSCUpgradeLoginConsoleImpl, msg1, SC installation detected
(Feb 19, 2015 10:50:03 PM), Install, com.installshield.full.event.dialog.console.PanelSSCUpgradeLoginConsoleImpl, msg1, loading /opt/ibm/dominodata/console/console.properties
(Feb 19, 2015 10:50:03 PM), Install, com.installshield.full.event.dialog.console.PanelSSCUpgradeLoginConsoleImpl, msg1, Encoded password found. Getting previously decoded name and password

I changed the WAS administrator user to use an LDAP based account so I was wondering why wasadmin was still appearing even though /opt/ibm/dominodata/console/console.properties had the new user name and password.

In console.properties I saw that “SSCEncodedAuthorization” was listed. This is the encoded password for the admin account. I removed this from console.properties and ran setuplinux.bin -console again and it upgraded fine.


Sametime and POODLE SSLv3 patches


IBM released two Technotes for Sametime and POODLE: Security Bulletin: Vulnerability in SSLv3 affects Sametime (CVE-2014-3566) and Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566).

What wasn’t clear (at first) was what actually needed to be done to disable SSLv3 and ensure that Sametime functions properly. Off the back of another PMR relating to the VMCU I managed to get some of Tony Payne’s time to fire off some questions.

The patches available in Security Bulletin: Vulnerability in SSLv3 affects Sametime (CVE-2014-3566) are to resolve problems within Sametime and DO NOT DISABLE SSLV3. These problems are.

  •  In Media servers SSL v3 was still enabled for backend server-to-server connections.
  • After making the POODLE security change on SSC as described in this bulletin, the installers for Sametime products (Advanced, Meetings, Media, Proxy, and Community Servers) are not able to connect to the SSC server and policies are not getting synched from the SSC into the Community Server.

So, you need to apply the patches to your servers and then you need to move onto the steps detailed in Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566)

Before you move onto WAS you might want to know which servers to apply the patches to. The Technote is quite clear but what if you have Edge components? If you do, then the SIP Edge proxy does not need to have the Media Manager code run against it and nor does the TURN server. If you have an HTTP Edge proxy which sits in front of your Meeting server then this will need the patch applied as it communicates with the SSC, unlike the TURN and SIP Edge proxy. You do need to patch any SIP/HTTP proxies in front of the CM, SIP PR or Meeting servers which may be on their own node and hence their own profile.

After you have installed the patches you then need to disable SSLv3. To do this you can install ifixes or simply turn it off from within the SSC. You should also disable this from within the ISC of your SIP Edge proxy and Video Manager server.

The ifixes remove the ability to set or use SSLv3 so the net effect is that it makes the change within the SSC/ISC.

For my deployment I simply changed the settings within the SSC/ISC. To disable SSLv3 you need to do the following.

  • Log in to the SSC/ISC.
  • Go to Security – SSL certificate and key management – SSL configurations – CellDefaultSSLSettings – Quality of protection (QoP) settings. For VMGR and SIP Edge proxy you can update the NodeDefaultSSLSettings.
  • Change the Protocol from SSL_TLS to TLS.
  • Save and sync the changes to your nodes.
  • Stop all application servers.
  • Stop all node agents.
  • Update the ssl.client.props in each profile replacing “com.ibm.ssl.protocol=SSL_TLS” with “com.ibm.ssl.protocol=TLS”
  • Don’t forget the VMGR and Edge servers.
  • Restart the deployment manager.
  • In each profile run ./syncNode.sh ssc.collaborationben.com 8703 -username adminuser -password ******** to synchronise the node with the deployment manager.
  • Start each node agent and then each application server.
  • Test.
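
With several profiles across the SSC, VMGR and Edge servers it is easy to miss one ssl.client.props. The following is an added example, not part of the original post, that audits every profile under a root directory for the com.ibm.ssl.protocol setting; the function name, the assumption that each profile keeps the file at properties/ssl.client.props, and the rule that only values starting with TLS pass are this example's own.

```shell
#!/bin/sh
# Added example: audit ssl.client.props in every WebSphere profile under a root.
# Assumption: each profile directory holds properties/ssl.client.props.

# audit_ssl_client_props ROOT
#   Prints one line per profile setting:
#     OK <profile> <value>       value starts with TLS
#     WEAK <profile> <value>     anything else (SSL_TLS, SSLv3, ...)
#     UNSET <profile>            file exists but has no active setting
#     MISSING <profile> ...      no ssl.client.props in the profile
#   Returns 0 when every profile is OK, 1 otherwise.
audit_ssl_client_props() {
    root=$1
    findings=0
    for profile in "$root"/*/; do
        [ -d "$profile" ] || continue
        name=$(basename "$profile")
        props="${profile}properties/ssl.client.props"
        if [ ! -f "$props" ]; then
            echo "MISSING $name (no properties/ssl.client.props)"
            findings=1
            continue
        fi
        # Active (uncommented) settings only; strip CRs left by Windows editors.
        values=$(tr -d '\r' < "$props" |
            sed -n 's/^[ \t]*com\.ibm\.ssl\.protocol[ \t]*=[ \t]*//p')
        if [ -z "$values" ]; then
            echo "UNSET $name"
            findings=1
            continue
        fi
        for v in $values; do
            case $v in
                TLS*) echo "OK $name $v" ;;
                *)    echo "WEAK $name $v"; findings=1 ;;
            esac
        done
    done
    return $findings
}

# Stand-alone use: pass the profiles root as the first argument.
if [ "$#" -gt 0 ]; then
    audit_ssl_client_props "$1"
fi
```

Run it on each server before restarting the node agents; a non-zero exit status means at least one profile still needs editing.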


Testing

To test, find yourself a *nix machine and run the following command “openssl s_client -connect meeting.collaborationben.com:443 -ssl3” and you should get something like the following response.

CONNECTED(00000003)
139961097578312:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 0 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1424780572
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

If SSLv3 was still enabled you would see something very different. You will see the SSL certificate returned and something like the following.

New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DES-CBC3-SHA
    Session-ID:
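
The two outcomes above can be told apart mechanically when there are many servers to check. This is an added example, not part of the original post: it classifies the output of the same openssl command, using sample transcripts constructed from the output quoted in this post; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify `openssl s_client -connect host:port -ssl3` output.

# classify_ssl3_probe: reads s_client output on stdin and prints one of
#   sslv3-refused   handshake failed or no cipher was negotiated (Cipher 0000)
#   sslv3-accepted  an SSLv3 session with a real cipher was established
#   inconclusive    neither pattern seen, e.g. the server was unreachable or
#                   the local openssl build has no SSLv3 support, so the
#                   probe never ran and proves nothing about the server
classify_ssl3_probe() {
    awk '
        /handshake failure/ || /no peer certificate available/ { refused = 1 }
        /^[ \t]*Protocol[ \t]*:[ \t]*SSLv3/ { proto = 1 }
        /^[ \t]*Cipher[ \t]*:/ { cipher = $NF }
        END {
            if (proto && cipher != "" && cipher != "0000" && !refused)
                print "sslv3-accepted"
            else if (refused || cipher == "0000")
                print "sslv3-refused"
            else
                print "inconclusive"
        }'
}

# probe_host HOST:PORT: run the probe against a live server and classify it.
probe_host() {
    out=$(openssl s_client -connect "$1" -ssl3 </dev/null 2>&1) || true
    printf '%s\n' "$out" | classify_ssl3_probe
}

# Constructed sample: SSLv3 disabled (abridged from the output in this post).
sample_refused() {
    cat <<'EOF'
CONNECTED(00000003)
139961097578312:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
no peer certificate available
SSL handshake has read 0 bytes and written 0 bytes
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
EOF
}

# Constructed sample: SSLv3 still enabled (abridged from the output in this post).
sample_accepted() {
    cat <<'EOF'
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DES-CBC3-SHA
EOF
}

# Stand-alone use: pass one or more host:port targets as arguments.
if [ "$#" -gt 0 ]; then
    for target in "$@"; do
        printf '%s %s\n' "$target" "$(probe_host "$target")"
    done
fi
```

Treat "inconclusive" as a failed check rather than a pass, and repeat the probe for every listener you changed, including the VMGR and Edge servers.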

Problems

I had one problem applying the patch to the VMCU. The instructions say to run ./upgrade.sh but doing so I got the following error.

[root@vmcu SametimeVideoMCU]# ./upgrade.sh
Sametime Video MCU status:SoftMcu service is down
./upgrade.sh: line 15: [: too many arguments
./upgrade.sh: line 17: [: too many arguments
./upgrade.sh: line 20: [: too many arguments
./upgrade.sh: line 23: [: too many arguments
Reading property file /opt/IBM/Sametime/STVideoMCU/console.properties..
Checking Java version:
java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.14) (rhel-1.65.1.11.14.el6_4-x86_64)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)
Java major version is: 6
Checking for license..
Exited with: 9
License status: 9
License accepted. Proceeding with upgrade:  9
./mcms/Scripts/InstallValidator.sh
313561 blocks
All System requirements met for upgrade. Proceeding with Sametime Video MCU upgrade.
Backing up Sametime Video MCU
There is another operation currently in progress
Unable to backup Sametime Video MCU configuration. Upgrading without a backup may result in loss of data. Aborting upgrade.

I ran “chkconfig soft_mcu off” so the VMCU didn’t start after a reboot and stopped it. On OS restart the same happened. I reproduced this on a customer server and my own.

IBM came back with a few steps, although incomplete, they pointed me in the following direction. I did the following:

  • rpm -qa 'ibm-sametime*'
  • rpm -e $(rpm -qa 'ibm-sametime*')
  • cd /opt/IBM/Sametime/STVideoMCU/
  • Ensure console.properties is correct.
  • ./uninstallVideoMcu.sh
  • rpm -qa 'ibm-sametime*' to check the RPMs have been removed.
  • Change directory to the patch.
  • Ensure console.properties is correct.
  • ./install.sh
  • yum update openssl to ensure openssl is up to date.
  • Restart OS due to openssl update.

This effectively uninstalls the VMCU and unregisters it and then installs it again (albeit the new version) and uses the original deployment plan so do not create a new one.

IBM are hosting an open mic on the 11th March 2015 on this subject. I guess they have been getting a few queries from people. I hope this blog means you can get on with this instead of waiting for the 11th.


URL preview in IBM Connections 5.0 CR02 – ifix LO84882 required to work with forcedConfidentialCommunications enabled


On all builds of IBM Connections 5.0 CR02 I have faced a problem with URL preview not working when forcedConfidentialCommunications is enabled in LotusConnections-config.xml.

In the Knowledge Center a number of people have tried to get this working and some have settled on disabling forcedConfidentialCommunications and forcing SSL on the web server. I don’t like this approach due to the rewrites needed and the uncertainty of what may change in the future.

I raised a PMR with IBM since this problem was supposed to be fixed in LO82306 which was included in CR02. After a bit of to’ing and fro’ing IBM provided me with LO84882. On applying the ifix URL preview now works.



Sametime meeting widget on IBM Connections 5.0 CR02 – error 403


I like the integration points between Connections and Sametime. The meeting room widget is a useful bridge which allows you to create meeting rooms to be used for a community. This means there is no need to create your own and try to remember who needs access to the room, whether the content needs to be removed etc. The widget keeps the membership of the meeting room in line with the membership of the community via a member synchroniser (or synchronizer).

I had some problems with CR02. I didn’t have the same problems with 4.5 and various CRs.

Firstly, the documentation in the knowledge center is inaccurate and a bit sloppy though I think that was still the case with 4.5. You can see the various comments me and others have posted on the pages. Read these comments, as I don’t know whether IBM have updated the main text yet.

If you follow the instructions as well as my comments you should get as far as getting 403 exceptions in the widget. This is an AJAX proxy error BUT based on the documentation the configuration is correct. I raised a PMR with IBM and over the weeks the following steps were taken which resolved the problem.

I will provide snippets of the various files I made changes to so please supplement the knowledge center with my findings.

Ifixes

There are two ifixes I applied.

LO84327: [CR2 IFIX NEEDED]BACK PORT IC DEFECTS 132826 \133551\ 133335\130590 TO THE 5.0 CR STREAM TO SUPPORT THE SAME
http://www-01.ibm.com/support/docview.wss?crawler=1&uid=swg1LO84327

LO84399: WIDGETS (3RD PARTY) NOT LOADING IN COMMUNITIES AFTER UPGRADING TO IC5.0 CR2
https://www-304.ibm.com/support/entdocview.wss?uid=swg1LO84399

widget-config.xml

The use of {communitiesSvcRef} is more in line with the other contents of this file. It avoids needing to hard code the “url” and “iconUrl” values. Also, never call the xml or jpg using c:\ or /opt/IBM/ as the images will not show properly in a web browser.

The last thing that got this working was to remove any reference to the port number from “sametimeMeetingsServerUrl.” I had followed the knowledge center and added “:443” to the end of it.

</widgetDef>
<widgetDef defId="Meeting Rooms" primaryWidget="false" modes="view fullpage" uniqueInstance="true" url="{communitiesSvcRef}/MeetingRoomsWidget/MeetingRoomsWidget1.xml" iconUrl="{communitiesSvcRef}/MeetingRoomsWidget/meetings-icon.jpg">
<itemSet>
<item name="sametimeMeetingsServerUrl" value="https://meetings.collaborationben.com" />
<item name="widgetFilePath" value="/communities/MeetingRoomsWidget/" />
<item name="communitiesBaseUrl" value="{communitiesSvcRef}"/>
</itemSet>
</widgetDef>
<widgetDef defId="Members" primaryWidget="false" modes="view fullpage" showInPalette="false" uniqueInstance="true" url="{webresourcesSvcRef}/web/lconn.comm/communityMembers/communityMembers.xml?etag={version}" helpLink="{helpSvcRef}/topic/com.ibm.lotus.connections.communities.help/t_com_membership_view.html">
<itemSet>
<item name="membersPerPage" value="12"/>
<item name="membersPerPageFullPage" value="16"/>
</itemSet>
</widgetDef>

proxy-config.tpl

Be mindful of the forward slash and star in the “policy url.” Also, if you follow the example in the knowledge center then wsadmin will error when you try to check the file in because the order is incorrect (unless they have updated the entry).

<!-- BEGIN CUSTOMIZATIONS HERE -->
<proxy:policy url="https://meetings.collaborationben.com/*" acf="none">
<proxy:actions>
<proxy:method>GET</proxy:method>
<proxy:method>HEAD</proxy:method>
<proxy:method>POST</proxy:method>
<proxy:method>PUT</proxy:method>
<proxy:method>DELETE</proxy:method>
</proxy:actions>
<proxy:headers>
<proxy:header>X-ST-CSRF-Token</proxy:header>
<proxy:header>User-Agent</proxy:header>
<proxy:header>Accept.*</proxy:header>
<proxy:header>Content.*</proxy:header>
<proxy:header>Authorization.*</proxy:header>
<proxy:header>If-.*</proxy:header>
<proxy:header>Pragma</proxy:header>
<proxy:header>Cache-Control</proxy:header>
<proxy:header>X-Update-Nonce</proxy:header>
<proxy:header>WWW-Authenticate.*</proxy:header>
<proxy:header>Access.*</proxy:header>
</proxy:headers>
<proxy:cookies>
<proxy:cookie>LtpaToken</proxy:cookie>
<proxy:cookie>LtpaToken2</proxy:cookie>
<proxy:cookie>JSESSIONID</proxy:cookie>
</proxy:cookies>
</proxy:policy>

proxy-policy.dynamic

IBM suggested that I add this. I added the following entries early on in the course of the PMR to rule out AJAX proxy permissions. This may not be required but I haven’t tested it without it.

allow(".*", ".*", "http\\:\\/\\/meetings\\.collaborationben\\.com\\/.*");
allow(".*", ".*", "https\\:\\/\\/meetings\\.collaborationben\\.com\\/.*");

Creating a shared library

Don’t blindly copy and paste the contents of http://www-01.ibm.com/support/knowledgecenter/SSKTXQ_9.0.0/admin/install/inst_meet_rooms_widget_create_shared_lib.dita because in a previous step you unpacked the SDK files into different directories.

Error 412

The final error I got (after the 403) was a 412 error which is mentioned in the knowledge center and one that I came across in 4.5.

412 Failure to create a meeting room.
Possible cause:

The X-ST-CSRF-Token is invalid. Connections has set the HTTPONLY flag.

Workaround for error 412:
Note: Only implement this workaround if you understand its effects and consequences.

Log in to the WebSphere Integrated Solutions Console as the WebSphere administrator. (The URL ends with /ibm/console).
Click Servers > ServerTypes > WebSphere application servers.
Select the server you are working with.
In the Container settings section, click Web container settings > Web container.
In the Additional properties section, click Session management.
Click Enable cookies hyperlink.
Ensure that the Set session cookies to HTTPOnly to help prevent cross-site scripting attacks option is NOT selected.
Click Apply.
Resynchronize the nodes, and restart the WebSphere application server.

I disabled Set session cookies to HTTPOnly to help prevent cross-site scripting attacks for all the Connections applications servers, synced and restarted.

Testing

Since I only had the one community that had the widget applied to before the final changes I can’t say for sure that you will need to remove the widget and add it again or simply refresh it. You should experiment for yourselves and be mindful of any browser caching.

With this in mind, it should be working nicely for you.


View all

I have noticed that “view all” does nothing when clicked on it. I created six meeting rooms through the widget. The widget only shows five so I expected that it should take me to the “Meeting rooms” view where all rooms are shown. In Fiddler nothing is reported. I have asked the question of IBM.


IBM Sametime HTTPS redirection


Redirection of HTTP to HTTPS for Sametime is made possible by deploying a WebSphere proxy in front of Sametime Proxy or a Meeting server. Once configured you can use a routing rule to redirect a specific URL to another specific URL. What if you want every possible permutation to be directed to HTTPS?


It is well documented in http://blog.msbiro.net/2014/02/redir-htp-https-websphere-proxy-sametime-server.html and http://www-10.lotus.com/ldd/stwiki.nsf/dx/Forcing_Sametime_8.5.2_WebSphere_Application_server_to_use_HTTPS_TLS_encryption how to achieve this.

I have used the above method successfully for a while but it got me thinking how I would control a user accessing a meeting room directly as opposed to going to the meeting center which would be captured by the routing rule.

I raised a PMR after testing many scenarios with a WebSphere proxy fronting a Sametime Proxy and Meeting server and IBM told me that it is not possible with a WebSphere proxy but suggested I use IHS. Not his fault, he wasn’t a Sametime guy. But he did suggest that I take a look at using <transport-guarantee>CONFIDENTIAL</transport-guarantee>.

http://docs.oracle.com/javaee/5/tutorial/doc/bncbe.html describes how to achieve this. If you Google <transport-guarantee>CONFIDENTIAL</transport-guarantee> you will find a number of IBM docs on this which help.

What I wasn’t sure of is whether to make the change in multiple places, i.e. each war’s web.xml where there is a “<security-constraint>” stanza. It may only be appropriate to make the change on the login page, and thus in the war that relates to it, but what if people went directly to a specific page, bypassing the login page’s war?

I made the following changes on the SSC and then issued a full sync and restarted the STProxy. I also ensured that I had disabled the WebSphere proxy’s rule so that it didn’t step in.

[root@st9ssc ~]# cd /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/st9sscSSCCell/applications
[root@st9ssc applications]# cp -r ./SametimeProxy.ear/ /tmp/SametimeProxy.ear.backup

[root@st9ssc applications]# cd /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy
[root@st9ssc SametimeProxy]# ll
total 56
drwxr-xr-x 4 root root 4096 Jan  6  2014 autoaway.war
-rw-r--r-- 1 root root 5208 Jun 15 11:49 deployment.xml
drwxr-xr-x 2 root root 4096 Oct 24  2013 META-INF
drwxr-xr-x 4 root root 4096 May 26 17:42 proxyutils.war
drwxr-xr-x 4 root root 4096 Oct 24  2013 screencapture.war
drwxr-xr-x 4 root root 4096 Jan  6  2014 stmobileweb.war
drwxr-xr-x 4 root root 4096 Oct 24  2013 stproxybase.war
drwxr-xr-x 4 root root 4096 Oct 24  2013 stproxymobile.war
drwxr-xr-x 4 root root 4096 Oct 24  2013 stproxyredirect.war
drwxr-xr-x 4 root root 4096 Oct 24  2013 stproxyservlet.war
drwxr-xr-x 4 root root 4096 Oct 24  2013 stproxyweb.war
drwxr-xr-x 4 root root 4096 Oct 24  2013 stwebav.war
drwxr-xr-x 4 root root 4096 Jan  6  2014 workclasses

[root@st9ssc SametimeProxy]# vi /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stmobileweb.war/WEB-INF/web.xml

<security-constraint>
<web-resource-collection>
<web-resource-name>SametimeProxy methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>HEAD</http-method>
</web-resource-collection>
<auth-constraint>
<description />
<role-name>AllUsers</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

[root@st9ssc SametimeProxy]# vi /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stproxybase.war/WEB-INF/web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>SametimeProxy methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>HEAD</http-method>
</web-resource-collection>
<auth-constraint>
<description />
<role-name>AllUsers</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

[root@st9ssc SametimeProxy]# vi /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stproxymobile.war/WEB-INF/web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Mobile installation</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint>
<description />
<role-name>AllUsers</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

[root@st9ssc SametimeProxy]# vi /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stproxyredirect.war/WEB-INF/web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Sametime Proxy Server</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>AllAuthenticatedUsers</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

[root@st9ssc SametimeProxy]# vi /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stproxyservlet.war/WEB-INF/web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>rtc4web based WebApp and GUI</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>HEAD</http-method>
</web-resource-collection>
<auth-constraint>
<description></description>
<role-name>AllUsers</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

[root@st9ssc SametimeProxy]# vi /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stproxyweb.war/WEB-INF/web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>File Share methods</web-resource-name>
<url-pattern>/ajaxproxy/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
</web-resource-collection>
<auth-constraint>
<description>All users, registered and unregistered</description>
<role-name>AllAuthenticatedUsers</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>SametimeProxy methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description>All users, registered and unregistered</description>
<role-name>AllAuthenticatedUsers</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

[root@st9ssc SametimeProxy]# vi /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stwebav.war/WEB-INF/web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>WebAV Binaries Install Update</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint>
<description />
<role-name>AllUsers</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

Full sync.

[7/24/15 16:52:50:087 BST] 00000072 FileRepositor A   ADMR0012I: The repository epoch is refreshed.
[7/24/15 16:52:50:123 BST] 00000072 FileRepositor A   Repository epoch refresh
[7/24/15 16:52:54:307 BST] 00000664 FileRepositor A   ADMR0016I: User ldap.collaborationben.com:389/server:st9sscSSCCell_st9proxySTPNode1_nodeagent modified document cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stproxyweb.war/WEB-INF/web.xml.
[7/24/15 16:52:54:329 BST] 00000664 FileRepositor A   ADMR0017I: User ldap.collaborationben.com:389/server:st9sscSSCCell_st9proxySTPNode1_nodeagent deleted document cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stproxyweb.war/WEB-INF/.web.xml.swp.
[7/24/15 16:52:54:362 BST] 00000664 FileRepositor A   ADMR0016I: User ldap.collaborationben.com:389/server:st9sscSSCCell_st9proxySTPNode1_nodeagent modified document cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stwebav.war/WEB-INF/web.xml.
[7/24/15 16:52:54:416 BST] 00000664 FileRepositor A   ADMR0016I: User ldap.collaborationben.com:389/server:st9sscSSCCell_st9proxySTPNode1_nodeagent modified document cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stproxyredirect.war/WEB-INF/web.xml.
[7/24/15 16:52:54:456 BST] 00000664 FileRepositor A   ADMR0016I: User ldap.collaborationben.com:389/server:st9sscSSCCell_st9proxySTPNode1_nodeagent modified document cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stproxymobile.war/WEB-INF/web.xml.
[7/24/15 16:52:54:497 BST] 00000664 FileRepositor A   ADMR0016I: User ldap.collaborationben.com:389/server:st9sscSSCCell_st9proxySTPNode1_nodeagent modified document cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stmobileweb.war/WEB-INF/web.xml.
[7/24/15 16:52:54:534 BST] 00000664 FileRepositor A   ADMR0016I: User ldap.collaborationben.com:389/server:st9sscSSCCell_st9proxySTPNode1_nodeagent modified document cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stproxyservlet.war/WEB-INF/web.xml.
[7/24/15 16:52:54:609 BST] 00000664 FileRepositor A   ADMR0016I: User ldap.collaborationben.com:389/server:st9sscSSCCell_st9proxySTPNode1_nodeagent modified document cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stproxybase.war/WEB-INF/web.xml.
[7/24/15 16:52:55:856 BST] 00000664 NodeSyncTask  A   ADMS0003I: The configuration synchronization completed successfully.
[7/24/15 16:52:56:612 BST] 0000066c AppBinaryProc I   ADMA7021I: Distribution of application SametimeProxy completed successfully.

I still have the WebSphere proxy in front of STProxy, which isn’t needed now, but whenever I hit the STProxy or WebSphere proxy on their unsecured ports (WC_defaulthost or PROXY_HTTP_ADDRESS) I am redirected to the secure port of the application server (WC_defaulthost_secure).

Early testing looks good. I haven’t tested integration with Meetings, AV or mobile but I will do in time. Mobile may be a bit tricky as this is asking the client to redirect but I would have hoped the mobile app would have been configured to use HTTPS anyway.
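An added example, not from the original post or from IBM: under the Servlet specification a security-constraint that lists http-method elements applies only to those methods, so this Python check reports which methods on a URL pattern are not covered by a CONFIDENTIAL constraint. The sample documents are constructed from the stanzas shown above rather than the full web.xml files, and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Methods checked for coverage (constructed list of the common HTTP methods).
METHODS = ("GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE")


def _local(tag):
    """Drop any XML namespace so namespaced and plain web.xml both parse."""
    return tag.rsplit("}", 1)[-1]


def _texts(parent, name):
    """Stripped text of each direct child element called `name`."""
    return [(c.text or "").strip() for c in parent if _local(c.tag) == name]


def parse_constraints(web_xml_text):
    """One record per <web-resource-collection> with its transport guarantee."""
    root = ET.fromstring(web_xml_text)
    records = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        guarantee = "NONE"
        for udc in (c for c in sc if _local(c.tag) == "user-data-constraint"):
            guarantee = (_texts(udc, "transport-guarantee") or ["NONE"])[0].upper()
        for wrc in (c for c in sc if _local(c.tag) == "web-resource-collection"):
            listed = {m.upper() for m in _texts(wrc, "http-method")}
            omitted = {m.upper() for m in _texts(wrc, "http-method-omission")}
            if listed:
                methods = listed                   # only the listed methods
            else:
                methods = set(METHODS) - omitted   # no list: every method
            records.append({"patterns": _texts(wrc, "url-pattern"),
                            "methods": methods, "guarantee": guarantee})
    return records


def methods_without_tls(web_xml_text, url_pattern="/*"):
    """Methods on `url_pattern` that no CONFIDENTIAL constraint covers."""
    covered = set()
    for rec in parse_constraints(web_xml_text):
        if url_pattern in rec["patterns"] and rec["guarantee"] == "CONFIDENTIAL":
            covered |= rec["methods"]
    return sorted(set(METHODS) - covered)


def _constraint(pattern, methods):
    """Build one CONFIDENTIAL stanza in the shape used on this page."""
    verbs = "".join("<http-method>%s</http-method>" % m for m in methods)
    return ("<security-constraint><web-resource-collection>"
            "<web-resource-name>sample</web-resource-name>"
            "<url-pattern>%s</url-pattern>%s</web-resource-collection>"
            "<auth-constraint><role-name>AllUsers</role-name></auth-constraint>"
            "<user-data-constraint><transport-guarantee>CONFIDENTIAL"
            "</transport-guarantee></user-data-constraint>"
            "</security-constraint>") % (pattern, verbs)


def _web_xml(*constraints):
    return "<web-app>" + "".join(constraints) + "</web-app>"


# Constructed samples that mirror the stanzas shown above (not the full files).
STPROXYBASE = _web_xml(_constraint("/*", ["OPTIONS", "TRACE", "HEAD"]))
STPROXYREDIRECT = _web_xml(_constraint("/*", []))
STPROXYWEB = _web_xml(
    _constraint("/ajaxproxy/*", ["GET", "PUT", "POST", "DELETE", "HEAD"]),
    _constraint("/*", ["GET", "PUT", "POST", "DELETE"]))

if __name__ == "__main__":
    for name, doc in (("stproxybase.war", STPROXYBASE),
                      ("stproxyredirect.war", STPROXYREDIRECT),
                      ("stproxyweb.war", STPROXYWEB)):
        print(name, "methods on /* without CONFIDENTIAL:",
              methods_without_tls(doc))
```

Pass the text of each war’s real WEB-INF/web.xml to methods_without_tls to see the full picture, since other constraints in the same file may cover the methods this reports.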

One problem would be that each time the STProxy is updated by a fix from Fix Central or IBM support these changes will be overwritten and will need to be made again. Also, this would do away with the need for a WebSphere proxy if it is being used solely for redirection to SSL. If you have a cluster of Meeting servers then you will still need WebSphere proxies.

In the circumstance of clustered WebSphere proxies the problem I see arising is that the redirection uses the secure port listed in the virtual host for the application server and not that of the WebSphere proxy. This means that unless the WebSphere proxy is on another host or bound to port 443 on a second NIC on the same node as the Meeting application server then you will not be able to redirect to 443 properly. You can’t have two things listening on 443 on the same host using the same NIC.

Nevertheless, without being able to use Apache or IHS this provides a useful alternative.

 

 


Use of objectGUID and its effect on buddy lists


I like using objectGUID for Sametime servers that use AD as an LDAP source as it avoids running the name change task which quite frankly no one ever did.

The one thing that bugged me was checking users’ buddy lists from within vpuserinfo.nsf, which is harder now that the user’s name is replaced with their objectGUID.

You can get the user’s objectGUID by running ldapsearch to get their ldif. The value returned is base64 encoded as seen below.

objectGUID:: rsfXUe2YI0uTmVfDZ0gMSQ==

This value does not match the documents in vpuserinfo.nsf.


If you get your hands on a Linux machine you can put the string through a decoder. There are web based alternatives available.

# echo rsfXUe2YI0uTmVfDZ0gMSQ== | base64 -d | xxd
0000000: aec7 d751 ed98 234b 9399 57c3 6748 0c49  ...Q..#K..W.gH.I

If you add slashes after each two characters you can quickly see which document relates to the user.



Cannot use groups from secondary LDAP for membership within IBM Connections


For a customer I federated a secondary directory (SDS) to store external users in Connections 5.0 CR02. Their primary LDAP (AD) is used for employees. This is nothing new but what I found was that I couldn’t add groups from SDS as members within the external community. I also couldn’t add groups from SDS to wikis or activities, not that there’s any point doing this since external users cannot access these applications outside the community container.

Below is the stack trace I was seeing.

[9/25/15 7:59:19:491 BST] 0000472f MemberHelper  E com.ibm.tango.util.MemberHelper parseMemberDirectoryUuids
com.ibm.tango.exception.NotInDirectoryException: Received null directory data for group uuid: 6c97c140-f58e-1034-9213-b1677db2f55d
at com.ibm.tango.internal.service.core.GroupProfileBo.openByDirectoryUuid(GroupProfileBo.java:104)
at com.ibm.tango.internal.service.TangoServiceImpl.getGroupProfileByDirectoryUuid(TangoServiceImpl.java:7152)
at com.ibm.tango.internal.service.TangoServiceImpl.getGroupProfileByDirectoryUuid(TangoServiceImpl.java:7158)
at com.ibm.tango.util.MemberHelper.parseMemberDirectoryUuids(MemberHelper.java:183)
at com.ibm.tango.web.ui.actions.MemberAddSubmitAction.doActionExecute(MemberAddSubmitAction.java:239)
at com.ibm.tango.web.ui.actions.TangoAction.execute(TangoAction.java:144)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:421)…………………………….

I raised a PMR and quickly David McCarthy got on the case. He was able to reproduce. He found that by deleting the AD repository, leaving just SDS, he could add a group. After escalation to L3 they reported that there was a problem with the code and Directory Services (Waltz) were looking into it.

Today I was sent LO87091 which I applied and it now works.

This fix will be included in CR04 which I hear will be released in the new year after 5.5 has landed.


Sametime Video MCU problems


When applying the latest version of the Video MCU available on Fix Central 9001-ST-Media-FP-SPIR-9ZTF3Z I faced problems when configuring the VMCU to use a TURN server.


I uninstalled and tried again but the result was the same. I found a draft Technote which didn’t help.

Problem
“service soft_mcu status” returns “SoftMcu service is unavailable” although soft_mcu is up.
Symptom
“service soft_mcu status” returns “SoftMcu service is unavailable” although soft_mcu is up.
You will encounter errors in accessing setting of MCU in System Console Server (SSC).
“An error occurred while retrieving the IP service.” in accessing “Video MCU global settings”.
“An error occurred while retrieving Video MCU users.” in accessing “Manage Users”.
“An error occurred while retrieving alarm health status” in accessing “Active Alarms”.
“An error occurred while logger configuration data” in accessing “Configure Logging Settings”

Cause
Due to deletion of necessary files under /tmp by tmpwatch cron.
Environment
Linux OS.
Diagnosing the problem
Video MCU places some files under /tmp directory including httpd.listen.conf that is necessary for status check of Video MCU (“service soft_mcu status”).

Resolving the problem
If you can not find it, tmpwatch cron has deleted files under /tmp unaccessed for more than 10 days as default.  Check your cron setting and delete or modify the settings.
Stopping and starting re-creates the necessary files under /tmp.

I also found “After updating Sametime System Console not able to see settings for VMCU”, which I followed even though I had not installed the SSC hot fix SPIR-9VM7XJ. This didn’t work either. I raised a PMR. Waiting for it to make its way up to L3 is slow going so I decided to uninstall and use an older version of the VMCU, 9001-ST-Media-FP-SPIR-9RHDAJ, which I could configure and didn’t get “an error occurred while retrieving the IP service.”

There was a bit of to’ing and fro’ing and the long and short of it is that I got the SSC hotfix, which I applied, and then upgraded the VMCU but I still got “an error occurred while retrieving the IP service” when attempting to update the settings.

L3 responded and told me that there is a known problem configuring the TURN server from the SSC and below is how to manually configure these settings.

  1. Open /mcms/Cfg/IPServiceListTmp.xml  (Make the backup of IPServiceListTmp.xml in case something goes wrong, so you can recover)
  2. In SIP_ADVANCED section, set three parameters as below:
    1. Set ICE_ENVIRONMENT to iceEnvironment_standard. By default, value is iceEnvironment_none.
    2. Set STUN_SERVER_IP to TURN server IP.  By default, value is 0.0.0.0
    3. Set TURN_SERVER_IP to TURN server IP.  By default, value is 0.0.0.0
After these changes, SIP_ADVANCED section will look like this.
<SIP_ADVANCED>
<SIP_ADVANCED_USER_NAME></SIP_ADVANCED_USER_NAME>
<ICE_ENVIRONMENT>iceEnvironment_standard</ICE_ENVIRONMENT>
<ICE_STANDARD_PARAMS>
<IS_PASSWORD_SERVER>false</IS_PASSWORD_SERVER>
<PASSWORD_SERVER_IP>0.0.0.0</PASSWORD_SERVER_IP>
<PASSWORD_SERVER_PORT>0</PASSWORD_SERVER_PORT>
<PASSWORD_SERVER_USER_NAME></PASSWORD_SERVER_USER_NAME>
<PASSWORD_SERVER_PASSWORD></PASSWORD_SERVER_PASSWORD>
<STUN_SERVER_IP>9.42.139.62</STUN_SERVER_IP>
<STUN_SERVER_PORT>3478</STUN_SERVER_PORT>
<TURN_SERVER_IP>9.42.139.62</TURN_SERVER_IP>
<TURN_SERVER_PORT>3478</TURN_SERVER_PORT>
</ICE_STANDARD_PARAMS>
</SIP_ADVANCED>
3. Restart the MCU service with “service soft_mcu restart” command. This will copy the TURN configuration from IPServiceListTmp.xml to IPServiceList.xml. MCU is now configured with TURN server. If you have any issues, send us  IPServiceList.xml and  IPServiceListTmp.xml files.
After doing this the settings were populated correctly BUT you cannot update the values from the SSC, you need to change them in IPServiceListTmp.xml.
IBM tell me that an SSC fix will be available in 9.0.1 release soon.

Error accessing Sametime SIP Proxy Registrar in SSC


During a build in a development environment on RHEL 6.7 for a customer I came across “unable to read data from SIP Proxy, check error logs for more detail.” This was after installing the combined PR & CF and attempting to update the domain name.


I found a Technote, Audio and Video is not available in Sametime – Error: “Unable to read data from SIP registrar, check error logs for more details” which was of no use to me.

In the deployment manager  SystemOut.log I saw the following:

[10/29/15 10:07:15:105 GMT] 000001cc config        W ConfigurationHelper validateConfig AVKPR1008E: Exception
org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'locationServiceType'. One of '{domains}' is expected.
at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
at org.apache.xerces.util.ErrorHandlerWrapper.error(Unknown Source)

**************

[10/29/15 10:08:41:475 GMT] 00000170 proxy         E ProxyConfigWriter writeConfigFile AVKPR1008E: Exception
com.ibm.sip.config.ConfigurationMBeanException: cells/devsama001SSCCell/nodes/devsama00STMSNode2/servers/STMediaServer/proxy.xml

*************

[10/29/15 10:08:44:321 GMT] 00000170 registrar     E RegistrarConfigWriter writeConfigFile AVKPR1008E: Exception
com.ibm.sip.config.ConfigurationMBeanException: cells/devsama001SSCCell/nodes/devsama00STMSNode2/servers/STMediaServer/registrar.xml

# vi /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/CELL/nodes/NODE/servers/STMediaServer/proxy.xml

<?xml version="1.0" encoding="UTF-8"?>
<!-- Copyright IBM Corp. 2008, 2014  All Rights Reserved.              -->

<!--
SIP Proxy server configuration file.
-->
<config>

<!--
Proxy settings:
isRecordRoute - true/false
Indicates whether the SIP Proxy remains on the SIP signaling path (works in a record-route mode)

isParallel - true/false
Indicates whether the SIP Proxy uses parallel or sequential search.

appSessionExpiration
Specifies application session expiration value in minutes

timerC
timer C value in minutes. This value must be greater than or equal to 3, recommended value is
3-5 minutes. This timer is set for each client transaction when an INVITE request is proxied.

routeRules -
Specifies a set of route rules that contains route conditions and destination address.
The routing rules are used to to determine the destination of the request.

-->

<proxy isRecordRoute="true" isParallel="false" appSessionExpiration="10"
timerC="4" addDestinationPublicIP="false"
locationServiceType="dynamicCache"/>
<!--
<routeRules>
<rule priority="" name="" description="">
<condition type="method"></condition>
<condition type="sourceAddress"></condition>
<condition type="requestURI"></condition>
<condition type="header" headerName=""></condition>
<destination>
<output>
<inputPattern type="requestURI" value=""/>
<outputPattern type="header" headerName="Route" value=""/>
</output>
</destination>
</rule>
</routeRules>
-->
<domains>
<domain name="devsama004.brockcloud.uk"/>
</domains>
</config>

I compared this with another deployment which runs a slightly older version of 9; it doesn’t have the text in bold above (the locationServiceType attribute) and looks like the following.

    <proxy isRecordRoute="true" isParallel="false" appSessionExpiration="10"
timerC="4" addDestinationPublicIP="false"/>

# cd /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/devsama001SSCCell/nodes/devsama00STMSNode2/servers/STMediaServer/

# cp ./proxy.xml ./proxy.xml.orig

# vi ./proxy.xml

I removed the offending line and then sync’d the nodes, logged out of the SSC and now I can update the Handled Domains sections without an error.

Once I build in production I will see whether the same problem is observed. If so, I will raise a PMR to check whether my workaround is valid. BTW – I was using the latest version of the SSC and Media Manager available from Fix Central.


IBM Connections 5.5 DB2 migration fails due to full transaction logs


During a database transfer from Connections 4.5 CR05 (DB2 10.1) to Connections 5.5 (DB2 10.5.0.7) I ran across a number of transfer failures using the tool. After a bit of digging such as looking at db2diag.log and DB2 Technotes I found the problem was that the DB2 transaction logs were being filled. Below are some example errors.

[02/03/16 16:33:26.659 CET] com.ibm.db2.jcc.am.SqlTransactionRollbackException: Error for batch element #1: DB2 SQL Error: SQLCODE=-1476, SQLSTATE=40506, SQLERRMC=-964, DRIVER=3.69.49
[02/03/16 16:33:26.659 CET] com.ibm.db2.jcc.am.SqlException: [jcc][103][10843][3.69.49] Non-recoverable chain-breaking exception occurred during batch processing.  The batch is terminated non-atomically. ERRORCODE=-4225, SQLSTATE=null
[02/03/16 16:33:26.659 CET] error.executing.transfer
err.dbtransfer.exception.labelclass com.ibm.db2.jcc.am.BatchUpdateException: [jcc][t4][102][10040][3.69.49] Batch failure.  The batch was submitted, but at least one exception occurred on an individual member of the batch.
Use getNextException() to retrieve the exceptions for specific batched elements. ERRORCODE=-4229, SQLSTATE=null
com.ibm.db2.jcc.am.BatchUpdateException: [jcc][t4][102][10040][3.69.49] Batch failure.  The batch was submitted, but at least one exception occurred on an individual member of the batch.
Use getNextException() to retrieve the exceptions for specific batched elements. ERRORCODE=-4229, SQLSTATE=null

Db2diag.log

EDUID   : 1580                 EDUNAME: db2agent (METRICS) 0
FUNCTION: DB2 UDB, data protection services, sqlpgResSpace, probe:6666
MESSAGE : ZRC=0x85100009=-2062548983=SQLP_NOSPACE
“Log File has reached its saturation point”
DIA8309C Log file was full.

In http://www-01.ibm.com/support/docview.wss?uid=swg21623212 it suggests increasing the sizes for LogFilSiz, LogPrimary, and LogSecond. On the second attempt changing these settings I found values that worked (for me).

db2 update db cfg for metrics using LOGFILSIZ 10000
db2 update db cfg for metrics using LOGPRIMARY 80
db2 update db cfg for metrics using LOGSECOND 40
db2stop
db2start

I had to increase the default values for Metrics and Profiles as they contain a lot of data.

You may want to reset the values after migration so you do not impact disk space.



Error accessing Sametime SIP Proxy Registrar in SSC – part 2


Following on from “Error accessing Sametime SIP Proxy Registrar in SSC”, I did indeed come across the same problem when building the customer’s production servers. This time I raised a PMR and it seems that it is a known problem, though I only know that it is a possible match for HF#OHAH-9VMHYR. I sent IBM all the instances I had of ProxyRegCommon.jar on the SSC and combined PR & CF and they told me that the one I want to use is the one in bold below (the copy under optionalLibraries/proxy-registrar) and that I should replace all other instances with it.

SSC

# locate ProxyRegCommon.jar

/opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/optionalLibraries/proxy-registrar/ProxyRegCommon.jar
/opt/IBM/WebSphere/AppServer/systemApps/isclite.ear/sipadmin.war/WEB-INF/lib/ProxyRegCommon.jar

# cp /opt/IBM/WebSphere/AppServer/systemApps/isclite.ear/sipadmin.war/WEB-INF/lib/ProxyRegCommon.jar /home/ldap/BenW/ProxyRegCommon.jar_from_sipadmin_war
# cp /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/optionalLibraries/proxy-registrar/ProxyRegCommon.jar /opt/IBM/WebSphere/AppServer/systemApps/isclite.ear/sipadmin.war/WEB-INF/lib/

On SIP PR & CF

# locate ProxyRegCommon.jar
/opt/IBM/WebSphere/AppServer/lib/ext/ProxyRegCommon.jar

# cp /opt/IBM/WebSphere/AppServer/lib/ext/ProxyRegCommon.jar /home/ldap/BenW/

# scp BenW@ssc_hostname:/opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/optionalLibraries/proxy-registrar/ProxyRegCommon.jar /opt/IBM/WebSphere/AppServer/lib/ext/

Start the deployment manager, node agent and STMediaServer.

The problem is no more.


IBM Connections CCM downloads via IHS syntax


It’s important to configure IHS to handle downloading of files. I have seen customer environments fail due to out of memory conditions when WAS handles the downloading of files, which is not its primary role.

Configuring IHS downloads for CCM always stumps me so for once I will write it down in the form of this blog. A frustration is that IBM’s Connections Knowledge Center fails, with each version of Connections, to provide an easy to follow guide. It should only take about 30 minutes to do this but inevitably it takes longer due to poor documentation.

My current project is on Windows so the paths below will differ on *nix.

You need to update httpd.conf as follows.

Alias /library_content_cache "D:/IBM/Connections/data/shared/ccmcache"

<Directory "D:/IBM/Connections/data/shared/ccmcache">
Order Deny,Allow
Deny from all
Allow from env=REDIRECT_LIBRARIES_CONTENT
</Directory>

<Location /dm>
IBMLocalRedirect On
IBMLocalRedirectKeepHeaders X-LConn-Auth,Cache-Control,Content-Type,Content-Disposition,Last-Modified,ETag,Content-Language,Set-Cookie,Title,X-UA-Compatible
SetEnv LIBRARIES_CONTENT true
</Location>

RequestHeader append LIBRARIES_CONTENT true

Now you need to update fncs-sitePrefs.properties

The documentation says you need to update D:\IBM\Connections\FNCS\configure\explodedformat\fncs\WEB-INF\classes\fncs-sitePrefs.properties with the following

anonymousAccessEnabled=true
enablePropertySheetTemplateMinMax=true
cdhc_isEnabled=true
cdhc_urlPath=/library_content_cache
cdhc_rootPath=D:/IBM/Connections/data/shared/ccmcache
cdhc_guardHeader=LIBRARIES_CONTENT
fncsServerURL=http://connections.collaborationben.com
fncsServerURLSecure=https://connections.collaborationben.com
icURI=https://connections.collaborationben.com

This is all good and well but these values will not make their way into the application unless you redeploy it, which is a pain. Michael Urspringer provided a nice workaround by adding the values to D:\IBM\WebSphere\AppServer\profiles\AppSrv01\installedApps\Cell01\navigator.ear\fncs.war\WEB-INF\classes\fncs-sitePrefs.properties which will, after a CCMCluster restart, apply the changes without redeploying the application.

You need to make sure that the above file and D:\IBM\Connections\FNCS\configure\explodedformat\fncs\WEB-INF\classes\fncs-sitePrefs.properties are the same in case you redeploy the application, which will overwrite the same file in navigator.ear.

There was a bit of trial and error to get the correct syntax in fncs-sitePrefs.properties. The value for cdhc_rootPath did not like “” nor did it like backslashes as detailed in various IBM documents.


Clearing LCUSER.UT_CLBACTIVITYSTREAMQUEUEENT as part of IBM Connections CCM migration


Nearing the end of a 4.5 -> 5.5 migration of IBM Connections I saw hundreds of lines of exceptions in the Infrastructure SystemOut.log. These exceptions only appeared after the content store and database data were transferred to the target. I couldn’t see a problem in the UI whatsoever, which worries me more than if I had come up with an error somewhere.

[3/8/16 16:20:19:148 CET] 0000085d SRTServletRes W com.ibm.ws.webcontainer.srt.SRTServletResponse setStatus WARNING: Cannot set status. Response already committed.
[3/8/16 16:20:19:148 CET] 0000085d SRTServletRes W com.ibm.ws.webcontainer.srt.SRTServletResponse addHeader SRVE8094W: WARNING: Cannot set header. Response already committed.
[3/8/16 16:20:19:148 CET] 0000085d WASSessionCor W SessionAffinityManager setCookie SESN0066E: The response is already committed to the client. The session cookie cannot be set.
[3/8/16 16:20:19:148 CET] 0000085d SystemOut     O java.lang.IllegalStateException
[3/8/16 16:20:19:148 CET] 0000085d SystemOut     O     at com.ibm.ws.webcontainer.srt.SRTServletResponse.addSessionCookie(SRTServletResponse.java:2175)
[3/8/16 16:20:19:148 CET] 0000085d SystemOut     O     at com.ibm.ws.session.SessionAffinityManager.setCookie(SessionAffinityManager.java:589)
[3/8/16 16:20:19:148 CET] 0000085d SystemOut     O     at com.ibm.ws.session.SessionManager.adaptAndSetCookie(SessionManager.java:747)
[3/8/16 16:20:19:148 CET] 0000085d SystemOut     O     at com.ibm.ws.session.SessionManager.createSession(SessionManager.java:734)
[3/8/16 16:20:19:148 CET] 0000085d SystemOut     O     at com.ibm.ws.session.SessionContext.getIHttpSession(SessionContext.java:505)
[3/8/16 16:20:19:148 CET] 0000085d SystemOut     O     at com.ibm.ws.session.SessionContext.getIHttpSession(SessionContext.java:426)
[3/8/16 16:20:19:148 CET] 0000085d SystemOut     O     at com.ibm.ws.webcontainer.srt.SRTRequestContext.getSession(SRTRequestContext.java:113)
[3/8/16 16:20:19:148 CET] 0000085d SystemOut     O     at com.ibm.ws.webcontainer.srt.SRTServletRequest.getSession(SRTServletRequest.java:2168)
[3/8/16 16:20:19:148 CET] 0000085d SystemOut     O     at com.ibm.ws.webcontainer.srt.SRTServletRequest.getSession(SRTServletRequest.java:2152)

These exceptions were triggered every 11 minutes.

[3/8/16 16:51:30:018 CET] 00000c98 ThreadHttpReq E   Exception with request in this thread : null
[3/8/16 16:51:30:018 CET] 00000c98 ThreadHttpReq E   Exception with request in this thread : null
[3/8/16 16:52:00:018 CET] 00000c9b ThreadHttpReq E   Exception with request in this thread : null
[3/8/16 16:52:00:018 CET] 00000c9b ThreadHttpReq E   Exception with request in this thread : null

The above exception appeared constantly. This exception stopped after clearing the /temp, /wstemp and /translog directories but the other exceptions remained.

Enabling trace got me a bit more.

[3/8/16 16:20:19:148 CET] 0000085d SRTServletRes W com.ibm.ws.webcontainer.srt.SRTServletResponse setStatus WARNING: Cannot set status. Response already committed.
[3/8/16 16:20:19:148 CET] 0000085d SRTServletRes W com.ibm.ws.webcontainer.srt.SRTServletResponse addHeader SRVE8094W: WARNING: Cannot set header. Response already committed.
[3/8/16 16:20:19:148 CET] 0000085d ServletWrappe > com.ibm.ws.webcontainer.servlet.ServletWrapper handleRequest ServletWrapper[/ic/errors/errorMini.jsp:null] ,request-> com.ibm.lconn.core.web.util.lang.I18NFilter$LCServletRequest@afb184af ,response-> com.ibm.ws.webcontainer.srt.SRTServletResponse@9bd4bb03 ENTRY
[3/8/16 16:20:19:148 CET] 0000085d ServletWrappe 1 com.ibm.ws.webcontainer.servlet.ServletWrapper handleRequest   request—>/connections/opensocial/basic/rest/activitystreams/@me/@all/@all<—
[3/8/16 16:20:19:148 CET] 0000085d ServletWrappe 1 com.ibm.ws.webcontainer.servlet.ServletWrapper handleRequest handling request for resource [/connections/opensocial/ic/errors/errorMini.jsp]
[3/8/16 16:20:19:148 CET] 0000085d ServletWrappe > com.ibm.ws.webcontainer.servlet.ServletWrapper loadServlet, className–>[com.ibm._jsp._errorMini], servletName[/ic/errors/errorMini.jsp] ENTRY
[3/8/16 16:20:19:148 CET] 0000085d ServletWrappe < com.ibm.ws.webcontainer.servlet.ServletWrapper loadServlet, Found target for className–>[com.ibm._jsp._errorMini], servletName[/ic/errors/errorMini.jsp] RETURN
[3/8/16 16:20:19:148 CET] 0000085d ServletWrappe 3 com.ibm.ws.webcontainer.servlet.ServletWrapper handleRequest internal servlet –> false
[3/8/16 16:20:19:148 CET] 0000085d ServletWrappe > com.ibm.ws.webcontainer.servlet.ServletWrapper service  ENTRY  this->[ServletWrapper[/ic/errors/errorMini.jsp:null]] ,className–>[com.ibm._jsp._errorMini] ,request->[com.ibm.lconn.core.web.util.lang.I18NFilter$LCServletRequest@afb184af] ,response->[com.ibm.ws.webcontainer.srt.SRTServletResponse@9bd4bb03
[3/8/16 16:20:19:148 CET] 0000085d WASSessionCor W SessionAffinityManager setCookie SESN0066E: The response is already committed to the client. The session cookie cannot be set.
[3/8/16 16:20:19:148 CET] 0000085d SystemOut     O   java.lang.IllegalStateException
[3/8/16 16:20:19:148 CET] 0000085d SystemOut     O       at com.ibm.ws.webcontainer.srt.SRTServletResponse.addSessionCookie(SRTServletResponse.java:2175)
[3/8/16 16:20:19:148 CET] 0000085d SystemOut     O       at com.ibm.ws.session.SessionAffinityManager.setCookie(SessionAffinityManager.java:589)
[3/8/16 16:20:19:148 CET] 0000085d SystemOut     O       at com.ibm.ws.session.SessionManager.adaptAndSetCookie(SessionManager.java:747)
[3/8/16 16:20:19:148 CET] 0000085d SystemOut     O       at com.ibm.ws.session.SessionManager.createSession(SessionManager.java:734)

In access_log I saw the following.

x.x.x.x - - [08/Mar/2016:16:20:19 +0100] "POST /connections/opensocial/basic/rest/activitystreams/@me/@all/@all HTTP/1.1" 400 68

I raised a PMR and Kevin Holohan quickly got back to me asking me to step through “Mass notifications from CCM.” I wondered how this would fit in with my problem but performed the following steps:

db2 connect to FNOS

db2 "select count(*) as ROWS from LCUSER.UT_CLBACTIVITYSTREAMQUEUEENT"

ROWS
-----------
        938

db2 "select count(*) as REMOVED from LCUSER.UT_CLBACTIVITYSTREAMQUEUEENT where ENTRY_STATUS = 2 AND OBJECT_ID <> x'00000000000000000000000000000000'"

REMOVED
-----------
        937

db2 "DELETE FROM LCUSER.UT_CLBACTIVITYSTREAMQUEUEENT WHERE ENTRY_STATUS = 2 AND OBJECT_ID <> x'00000000000000000000000000000000'"

db2 "select count(*) as ROWS from LCUSER.UT_CLBACTIVITYSTREAMQUEUEENT"

ROWS
-----------
          1

Of course I backed up FNOS first and dropped the application servers before doing this. On start up the exceptions are no more and I have a clean log.

As this system was not in production yet I do not know whether old notifications were being sent.

Just yesterday another customer called me for a different reason but I saw exactly the same exceptions in their logs and sent him the steps I used above. This morning he pinged me an email to tell me the exceptions have stopped. This customer is a big user of CCM and migrated to 5.0 from 4.5 a number of months ago. He had over 27000 rows in LCUSER.UT_CLBACTIVITYSTREAMQUEUEENT and his users had not received old notifications like the developerworks blog.

I will add this to my migration steps from now onwards when migrating CCM.


Ongoing issues with Surveys (FEB) and IBM Connections


For a number of IBM Connections v5.0 customers I have come across problems where Surveys occasionally and unpredictably stops working. Users would get a screen that wouldn’t load or a 500 error like below.


There seem to be two sets of errors which I will describe below.

First I must say this was a frustrating journey with IBM. There seems to be a lack of joined up thinking between the FEB and Connections teams. The FEB teams kept telling me that certain configuration was required whilst this was not present in any of the Connections documentation.

[10/13/15 18:45:59:092 BST] 000005a9 StandardExcep E com.ibm.form.nitro.platform.StandardExceptionMapper toResponse 205d4fed-6a97-4ba7-804b-dbf1ad97554d
                                 com.ibm.pdq.runtime.exception.DataRuntimeException: [pdq][10103][2.18.120] An error prevented the update operation from completing successfully.;  Caused by: com.ibm.db2.jcc.am.SqlIntegrityConstraintViolationException: The insert or update value of the FOREIGN KEY “FREEDOM.USER_GROUPS.U_UG_FK” is not equal to any value of the parent key of the parent table.. SQLCODE=-530, SQLSTATE=23503, DRIVER=3.65.110
    at com.ibm.pdq.runtime.internal.db.JdbcData.update_(JdbcData.java:388)
    at com.ibm.pdq.runtime.internal.db.DataImpl.update(DataImpl.java:695)
    at com.ibm.pdq.runtime.generator.BaseData.update(BaseData.java:906)

Caused by: com.ibm.db2.jcc.am.SqlIntegrityConstraintViolationException: The insert or update value of the FOREIGN KEY “FREEDOM.USER_GROUPS.U_UG_FK” is not equal to any value of the parent key of the parent table.. SQLCODE=-530, SQLSTATE=23503, DRIVER=3.65.110
    at com.ibm.db2.jcc.am.cd.a(cd.java:694)
    at com.ibm.db2.jcc.am.cd.a(cd.java:60)

IBM said that this was a duplicate data problem but did not provide me with any more information as to what data so I blindly updated /opt/ibm/Forms/extensions/Builder_config.properties in line with their suggestions. I unremmed the following and set the values appropriately.

ibm.was.MemberManager.userProps.loginName = uid
#
ibm.was.MemberManager.userProps.id = uid
#
ibm.was.MemberManager.groupProps.id = cn
#
ibm.was.MemberManager.userProps.email = mail
#
ibm.was.MemberManager.userProps.displayName = displayName

IBM wanted me to set the following value by replacing it with https://server.com/forms, but this broke Surveys each and every time without fail.

#ibm.nitro.NitroConfig.serverURI = http://host:9080/forms

If I set ibm.nitro.NitroConfig.serverURI then Surveys does not load in a Community. When I amend Builder_config.properties and set serverURI I also see the following in the SystemOut.log.

[2/5/16 16:51:23:023 GMT] 000011b2 PropertyUtils W com.ibm.form.platform.service.common.util.PropertyUtils updateProperties Unable to find accessible set method for the property called serverURI within class class com.ibm.form.nitro.service.config.NitroConfig.
[2/5/16 16:51:23:076 GMT] 000011b2 PropertyUtils W com.ibm.form.platform.service.common.util.PropertyUtils updateProperties Unable to find accessible set method for the property called serverURI within class class com.ibm.form.nitro.service.config.NitroConfig.

IBM finally stopped asking me to set ibm.nitro.NitroConfig.serverURI and for a short period of time Surveys worked.

The following error is what appeared after I made the above changes. IBM said that they had seen this before but at the time, only two other customers had come across it so they have not had a chance to determine the cause.

[1/19/16 14:44:45:871 GMT] 00000486 webapp E com.ibm.ws.webcontainer.webapp.WebApp logServletError SRVE0293E: [Servlet Error]-[fspServlet]: java.lang.NullPointerException
at com.ibm.form.platform.service.startup.IsolatingClassLoader$3.run(IsolatingClassLoader.java:414)
at com.ibm.form.platform.service.startup.IsolatingClassLoader$3.run(IsolatingClassLoader.java:408)
at java.security.AccessController.doPrivileged(AccessController.java:284)
at com.ibm.form.platform.service.startup.IsolatingClassLoader.findResourceAsStreamA(IsolatingClassLoader.java:406)
at com.ibm.form.platform.service.startup.IsolatingClassLoader.findResourceAsStream(IsolatingClassLoader.java:227)
at com.ibm.form.platform.service.startup.IsolatingClassLoader.getResourceAsStream(IsolatingClassLoader.java:987)

[1/19/16 14:48:59:100 GMT] 00000136 webapp I com.ibm.ws.webcontainer.webapp.WebApp log SRVE0296E: [Forms Experience Builder#builder.war][/forms][Servlet.LOG]:.fspServlet: SimplifiedPlatformAccessServlet.service():.java.lang.NullPointerException
at com.ibm.form.platform.service.startup.IsolatingClassLoader$7.run(IsolatingClassLoader.java:1189)
at com.ibm.form.platform.service.startup.IsolatingClassLoader$7.run(IsolatingClassLoader.java:1177)
at java.security.AccessController.doPrivileged(AccessController.java:284)
at com.ibm.form.platform.service.startup.IsolatingClassLoader.loadClassFromJarA(IsolatingClassLoader.java:1174)
at com.ibm.form.platform.service.startup.IsolatingClassLoader.findClass(IsolatingClassLoader.java:181)
at com.ibm.form.platform.service.startup.IsolatingClassLoader.loadClass(IsolatingClassLoader.java:1049)
at com.ibm.form.platform.service.startup.IsolatingClassLoader.loadClass(IsolatingClassLoader.java:1140)

At the same time as the above errors, in the trace.log, I found the following. This appeared when I tried to add the widget to a community.

[1/19/16 14:44:45:873 GMT] 00000285 ServerToServe E com.ibm.connections.httpClient.ServerToServerHttpClient checkResultsForRetry SONATA: Internal Server Error @’https://server.com/forms/secure/org/lifecycle’;
[1/19/16 14:44:45:875 GMT] 00000285 EventPropagat E com.ibm.lconn.widgets.service.EventPropagater postRemoteEvent CLFWZ0004E: Event ‘widget.added’ sent to remote lifecycle handler at https://server.com/forms/secure/org/lifecyclereturned bad response: 500 – Internal Server Error
[1/19/16 14:44:45:886 GMT] 00000285 AddWidgetActi E com.ibm.lconn.widgets.actions.AddWidgetAction execute CLFWZ0004E: Event ‘widget.added’ sent to remote lifecycle handler at https://server.com/forms/secure/org/lifecyclereturned bad response: 500 – Internal Server Error
com.ibm.lconn.widgets.model.LifecycleStatusCodeException: CLFWZ0004E: Event ‘widget.added’ sent to remote lifecycle handler at https://server.com/forms/secure/org/lifecyclereturned bad response: 500 – Internal Server Error
at com.ibm.lconn.widgets.service.EventPropagater.postRemoteEvent(EventPropagater.java:569)
at com.ibm.lconn.widgets.service.EventPropagater.addWidget(EventPropagater.java:753)
at com.ibm.lconn.widgets.service.WidgetInfoService.addWidgetPropagateInternal(WidgetInfoService.java:285)
at com.ibm.lconn.widgets.service.WidgetInfoService.addWidget(WidgetInfoService.java:376)

IBM put the 500 error down to not using ibm.nitro.NitroConfig.serverURI!!! IBM did say that redoing the configuration for the resource bundle will resolve the 500 errors in case there is a corruption. If there was a corruption it would never work! Redoing the configuration requires a restart, that seems to be the only way to restore Surveys albeit temporarily.

After making the changes to Builder_config.properties and monitoring the servers the errors appeared again. IBM set up a conference call and it was clear IBM did not really have anything to offer.

On the call I read through the instructions to deploy without the installer (http://www.ibm.com/support/knowledgecenter/SS6KJL_8.5.1/FEB/in_deploying_was.dita?lang=en) and the only difference I could see between this documentation and the current configuration which was configured by the installer is with the setting fullyMaterializeLobData.

In all the environments, Data sources > IBM_FORMS_DATA_SOURCE > Custom properties has fullyMaterializeLobData = true, whilst the knowledge center says it should be false. IBM jumped on to that since it was an action for me to do. Anyway, I changed this custom property and for a good few weeks I have not seen the errors appear and Surveys has continued to work.

I’m hoping this is the end to it and I have been configuring all new 5.0 and 5.5 servers with this in mind.


IBM Sametime unsigned WebPlayer plugin in Firefox


Firefox 43 and above will not allow you to install unsigned plugins. The effect this has on the WebPlayer plugin is as per the screen shot. A customer made me aware so I tested it with other Sametime deployments I support and the same error was seen.


The error “the add-on download from this site could not be installed because it appears to be corrupt” is not terribly informative. After a couple of hours digging I found https://support.mozilla.org/en-US/kb/add-on-signing-in-firefox?as=u&utm_source=inproduct which told me to make changes to the configuration of Firefox. Hardly something that could be done en masse.

Type about:config into the URL bar in Firefox
In the Search box type xpinstall.signatures.required
Double-click the preference, or right-click and select “Toggle”, to set it to false.
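
The preference change above switches off add-on signature enforcement for the whole profile, so it is worth knowing where it was applied once a signed plugin is available. The audit script below is an added example, not part of the original post; it assumes per-profile prefs.js and user.js files under a profiles directory passed on the command line, and its function names are illustrative.

```python
import re
from pathlib import Path

PREF = "xpinstall.signatures.required"
# Matches lines of the form: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def read_pref(pref_file, name=PREF):
    """Return the last value set for `name` in one prefs file, or None."""
    try:
        text = Path(pref_file).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None                      # file absent or unreadable
    value = None
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == name:
            value = m.group(2)
    return value


def effective_value(profile_dir):
    """user.js is applied after prefs.js at start-up, so it takes precedence."""
    for fname in ("user.js", "prefs.js"):
        value = read_pref(Path(profile_dir) / fname)
        if value is not None:
            return value, fname
    return None, None                    # pref not set: Firefox default applies


def audit(profiles_root):
    """List (profile, source file) pairs where signature enforcement is off."""
    findings = []
    for profile in sorted(Path(profiles_root).iterdir()):
        if not profile.is_dir():
            continue
        value, source = effective_value(profile)
        if value == "false":
            findings.append((profile.name, source))
    return findings


if __name__ == "__main__":
    import sys
    for name, source in audit(sys.argv[1]):
        print(f"{name}: {PREF}=false (set in {source})")
```

Profiles it reports are candidates for resetting the preference after the signed plugin has been rolled out.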

I raised a PMR and initially I was given the same workaround above or to use the desktop installer which is not available to users in STProxy or a Meeting room. Neither was a viable option.

IBM got in touch again and provided me with a development hotfix, SMOL-A7UFVE. This involved replacing STWebPlayer.xpi and STWebPlayerMac.xpi for both the Sametime Proxy and Meeting servers.

I also needed to ensure that I was on a specific version, 9,0,0,1523.

# cat /opt/IBM/WebSphere/AppServer/profiles/****STPPNProfile1/installedApps/****SSCCell/SametimeProxy.ear/stwebav.war/VersionInfo.properties
# *****************************************************************
#
# Licensed Materials – Property of IBM
#
# L-MCOS-96LPYH
#
# Copyright IBM Corp. 2015  All Rights Reserved.
#
# US Government Users Restricted Rights – Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with
# IBM Corp.
#
# *****************************************************************

WebPlayer=9,0,0,1523
Softphone=9.0.0.1869

# cat /opt/IBM/WebSphere/AppServer/profiles/****STPPNProfile1/installedApps/****SSCCell/SametimeProxy.ear/stwebav.war/VersionInfo.txt
WebPlayer Version = 9,0,0,1523
Plugin Version = 9.0.0.1869

L3 also informed me that I needed to update stproxyconfig.xml to mirror the version which I was able to do from the SSC.

/opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/****SSCCell/nodes/****STPNode1/servers/STProxyServer/stproxyconfig.xml

<webaudiovideo>
<playerver>9,0,0,1523</playerver>
<softphonepluginver>9.0.0.1869</softphonepluginver>
</webaudiovideo>

I found that it worked without needing to do the above to stproxyconfig.xml.

With the hotfix I was able to get the plugin working for a number of environments. If you are not running the latest version of Sametime Proxy and Meetings then you may need to upgrade to the latest from Fix Central but you should seek guidance from IBM.
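
Before copying a replacement STWebPlayer.xpi onto the Proxy and Meeting servers, the package can be checked for signing metadata. This is an added example, not IBM's or the author's code: it assumes the Mozilla-signed package layout (META-INF/manifest.mf, mozilla.sf and mozilla.rsa) and only confirms that those files are present and that each packaged file matches its manifest digest. It does not validate the certificate chain, which Firefox does at install time.

```python
import base64
import hashlib
import zipfile

# Signature metadata carried by a Mozilla-signed add-on package (assumed layout).
SIG_FILES = {"META-INF/manifest.mf", "META-INF/mozilla.sf", "META-INF/mozilla.rsa"}


def parse_manifest(text):
    """Parse a JAR-style manifest into {entry name: {header: value}}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # wrapped line continues the previous one
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        key, sep, value = line.partition(": ")
        if not sep:
            current = None                # blank line ends a section
        elif key == "Name":
            current = entries.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return entries


def check_xpi(path):
    """Return a list of problems; empty means the signing metadata is present
    and every packaged file matches the digest recorded in the manifest."""
    problems = []
    with zipfile.ZipFile(path) as z:
        names = {n for n in z.namelist() if not n.endswith("/")}
        missing = sorted(SIG_FILES - names)
        if missing:
            return [f"unsigned: missing {m}" for m in missing]
        manifest = parse_manifest(z.read("META-INF/manifest.mf").decode("utf-8"))
        payload = {n for n in names if not n.startswith("META-INF/")}
        for name in sorted(payload):
            headers = manifest.get(name, {})
            digests = {k: v for k, v in headers.items() if k.endswith("-Digest")}
            if not digests:
                problems.append(f"no manifest digest: {name}")
            for key, expected in digests.items():
                # "SHA1-Digest" -> "sha1", "SHA-256-Digest" -> "sha256"
                algo = key[: -len("-Digest")].replace("-", "").lower()
                actual = base64.b64encode(hashlib.new(algo, z.read(name)).digest())
                if actual.decode() != expected:
                    problems.append(f"digest mismatch ({key}): {name}")
        problems += [f"listed but absent: {n}" for n in sorted(set(manifest) - names)]
    return problems
```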

In IBM’s hosted deployment of Meetings the plugin cannot be installed via a web browser extension/add-on; you can only install it via the desktop installer. Like IBM’s hosted environment I envisage that in 9.0.1 the plugin will only be available via a desktop installer. I hope that IBM are looking at alternatives to the plugin that work in Chrome too after it dropped support for NPAPI plugins. I would love to see WebRTC being used to replace a plugin or client. I understand that this would have its challenges but it’s already being done with Liberty Profile and Dialogic media server and may help differentiate Sametime from Skype and other AV solutions.

